Method for producing software for controlling mechanisms and technical systems

ABSTRACT

In a method for controlling mechanisms or technical systems, the mechanisms or technical systems to be controlled are stored in a controller with their states, and with associated signal formers of sensors and actuators, whereby starting from a defined reference state at the onset of the activation of the controller, the actual states signaled by the technical system via the sensors are continuously compared with the specified state, the specified state being stored in the controller, and, based on this comparison, every deviation from the specified state is identified in the technical system, and, when initiated, a new instruction that changes the state of the mechanisms or of the technical system updates the specified state for the comparison and monitors the time till the acknowledgment of the new state, and sensor signals and comparable information exclusively serve the state identification of elementary functions and state changes exclusively ensue upon the initiation of elementary instructions.

BACKGROUND OF THE INVENTION

The invention refers to a method for the control of mechanisms andtechnical systems, as well as to the devices of an electronic control tobe designed for that and a method for the creation of the controlsoftware.

From DE 44 07 334 A1 a method is known for the creation andrepresentation of controls by that controls can be easily graphicallydesigned. The desired function of the control is graphically enteredinto a computer as an event-driven network of symbols with freelychoosable connections, or is represented by a computer. The networktransformed into a machine readable form can be used by the computer ora separate control computer as control programme. The method is suitablefor programmable logic controllers and DDC-systems.

From DE 195 13 801 A1 a method is known for the automatic generation ofa control for a process in that a non-deterministic automaton isdetermined that describes all physically possible behaviours of thecontrol, in which the permissible state transitions of the process to beinfluenced by the control are described, in which the automaton is setsuch that it fulfils given safety requirements, in which the automatonis set such that it fulfils the function of the system consisting of thecontrol and the process. The method uses the programming language CSLxtto describe the components of the system specification. For thespecification of the process model, not the state transitions aredescribed in detail, but so-called predefined qualitative constraintsare used that serve to automatically generate the control.

It is disadvantageous that the description of state transitions can befaulty on a higher language level and a later correction of the controlcannot be made easily.

Furthermore, programmable logic controllers (PLCs), hardware PLCssoftware PLCs, programming systems and programming languages, Simatic S7programming to the IEC 1131-3 standard, tandard programming languages:ladder diagram, logic diagram, selection logic, Structured Text areknown.

It is disadvantageous in the state-of-the-art that using Booleanalgebra, in principle, conditions resulting from inputs (sensors) areformulated to set outputs (actuators) that are continuously recalculatedcyclically. This programming approach has developed historically.Evidence of this state is produced by the fact that according to thegenerally accepted standard, the “ladder diagram” can still be used as aprogramming language.

For all the CAE support by graphic surfaces and high-level languages,basic imperfections have remained such as confusingness of the programmeand its individual character moulded by the programmer, never completetestability of the programme concerning its functionality, because theresult of the cyclic calculations can be influenced by combinatory andtime-dependent accidents, and the difficult design of sophisticatederror reactions.

It is the objective of the invention to describe a control formechanisms or technical systems that solves the control problem withoutuse of conditions of Boolean algebra whereby a clearly arrangedprogramme free of individual mouldings and completely testable is to becreated.

BRIEF SUMMARY OF THE INVENTION

The essence of the invention is that derived from the functionality ofthe mechanism or technical system to be controlled, particularly withits development, using technical means the functionality of the deviceto be controlled is filed, managed and updated in a control computer,which is designed to be a control, as a complete representation of thedesired state of the system according to the instructions and acomparison of that desired state with the actual state of the technicaldevice is made via the sensor signals transmitted. This desired/actualstate comparison is continuously made for all sensor signals of thesystem to be controlled. If there are deviations of the actual statefrom the desired state, prepared algorithms are processed and prepareduseful decisions are activated. Thus, each sensor signal is comparedwith exactly one desired signal and this comparison is solely made toidentify the state of the technical system. Changes in state areeffected exclusively through instructions on a functional languagelevel. These instructions are managed in a special domain of thecontrol. When an instruction is started, the desired state in therepresentation is updated and the change of the actual state of thetechnical system that fulfils the instruction is checked after apredetermined time.

The devices to be controlled are stored in the control in form of theirelementary functions with the states of these elementary functionsdefined according to the instructions and the appropriate signalrepresentations of the sensors and actuators. As a result, starting froma defined reference state at the beginning of the activation of thecontrol for all elementary functions, a continuous comparison of theactual states signalized by the technical system through the sensorswith the desired state stored in the control is made. According, eachdeviation in the system to be controlled from the desired stateaccording to the instructions is detected. As a result, a newinstruction that changes the state of the technical system updates whenstarted and the desired state for making the comparison and supervisesthe time period until the new state defined by that instruction issignalized on the base of also stored permissible transition times. As aresult, sensor signals and comparable information exclusively serve forthe identification of the state. Furthermore, state changes take placeexclusively through the start of instructions that are freely definedfor that to occur on a logical-functional language level and to whichthe elementary instructions defined by sensor and actuator signals areassigned.

Advantageously the states of all elementary functions are managed asactual desired states with the appropriate actuators and sensors in aprogramme module referred to as EF-controler. Thus each change in stateof the technical system that is detected by the sensors is evaluated forits equivalence to the desired state managed in the control.

A state of an elementary function of the signal representation whichdescribes the state that is not equivalent to the desired state isadvantageously transmitted to a programme module referred to as“not-desired state evaluator”, in which for selected states ofelementary functions reaction instructions are stored that are startedon equivalence to the state transmitted for check. As a result, in allcases specific error messages are created.

To an instruction as a set of instructions, the new desired states ofthe sensors and actuators, the times of transition until the new desiredstate and the reaction instructions for selected state messages to bestarted in case of deviations, in each case classified as reactioninstructions to be set and deleted before the start and after theexecution, respectively, are assigned. As a result, advantageously aprogramme module referred to as “instruction editor” undertakes theorganization required for that in the system. Furthermore, in thisprogramme module the release of a subsequent instruction in case ofinstruction sequences after signalling of the execution of thepreceeding instruction and the organization of parallel instructions bytemporary starting of parallel execution sequences according to thedemand is realized.

Advantageously, in the organized control system sensor signals and otherinformation to be controlled are integrated into a continuous data wordin a programme module here referred to as “state monitor”. As a result,the address of the appropriate elementary function in the EF-controlermaintains assigned to the signals and for executing the comparison, eachdesired signal is faced by the actual signal in equal structure so thata desired signal/actual signal comparison is made possible that can becarried out very effectively by a programme. As a result, any deviationof a signal after transmission for evaluation is entered as the newcomparison state so that the comparison is always made to the stateevaluated last. Furthermore, each change in state is evaluated onlyonce. As a result, the comparison of the desired and actual signals ismade directionally and after an interruption for the evaluation of adeviation the comparison is continued at the signal succeeding theinterruption place. This ensures that each state change that issufficiently long in time can be detected and evaluated.

In a control system organized in this way each recorded state change isrecorded by the programme module state monitor in an event-time protocoland stored there. As a result, in the simplest way process parametersdefined thereby become accessible so that also, e.g., signal vibrationscan be detected and, if necessary, filtered out.

Advantageously, the programme modules that are subject to real-timeprocessing requirements—instruction editor, EF-controler, state monitorand not-desired state evaluator-are combined to a functional unit thatis referred to as “execution computer”, for which a special processor isused. The instructions formulated only on the logical-functionallanguage level of the actual application programmes are organized in asecond functional unit referred to as “instruction computer”, which isnot subject to real-time processing requirements. As a result, in caseof a bigger and more variable instruction volume the instructioncomputer usefully has an own processor and here also the communicationcan be designed to be comfortable.

Instructions transmitted from the instruction computer to the executioncomputer are advantageously executed without being checked. As a result,the execution computer carries out each action autonomously. Therefore,in the instruction computer blocking lists are managed on thelogical-functional instruction level for the mutually exclusive states,which take on that proportion of blockings that is determined on theprocess and machine sides. As a result, here in the instruction computeran application process instruction (in addition to the information whichinstructions have to be transmitted to the execution computer) alsodefines for which other application instructions blockings are to be setor deleted during or after the execution.

The execution computer can execute a received instruction autonomously.As a result, the instruction computer makes the checked subsequentinstruction available to the execution computer in an instruction bufferas intermediate storage. After that, the instruction computer updatesthe state in the instruction computer to the condition that will beafter the execution of this instruction is made available. Furthermore,the subsequent instruction is checked in the instruction computeralready during the execution of the preceeding instruction in theexecution computer so that as a rule a faster programme run can beachieved. Non-compatible instructions are identified and marked as notpermissible already in the instruction computer and such an instructionis not started. If the prepared instruction is permissible, the stateexpected for the check of the instruction in the instruction computerwill appear, error-free execution provided. Furthermore, programmerunning is continued while in case of an error, a reset is carried outto the state with regard to the current instruction as error state.

When producing a control programme the user of this control isadvantageously supported by a dialogue with a development programme. Asa result, the first description of the system to be controlled demandsinformation on the hierarchical functional structure of the system. Thelower end of this structure, in each case, is regarded as elementaryfunction and each elementary function has to be defined in itsinstruction states also within a dialogue. Furthermore, the sensorsignals, actuators, control times for the transition between the statesaccording to the instructions and a reference state for the start has tobe assigned. The definition of the integration of more complex partialsystems can also take place. As a result, the user of the control systemprovides only the above primary data and the control developmentprogramme therefrom generates the system elementary function memory, theEF-controller and the signal vector for the state monitor. Thus thetechnical system can already be put into operation, checked forerror-free signal definition in the reference state, controlled with thedefined elementary functions and be tested and checked as far aspermissible with regard to single instructions.

For such a dialogue-supported system the application instructions areadvantageously produced in such a way that in an instruction libraryelementary functions from the previously defined elementary functionsare assigned to the near-to-process application instructions as singleinstructions, parallel or serial instruction sequences. In addition, theblocking conditions on the instruction level in the instruction computerand, for the instruction set to be transmitted to the execution computeralso the reaction instructions for selected deviations combined withsuitable error messages, which have to be entered into the not-desiredstate evaluator, are defined.

For a control system with that structure changes of the elementaryfunctions maintain locally limited. Any time, also with calculable localeffect, new application instructions, blocking conditions or errorreactions can be entered, extended or changed, or without any reactionto already defined programmes, specified by the allocation of state datafor the system, new assignments of instructions and instructionconditions can be carried out.

The logical-functional structure of each programme produced in this waycan be completely checked. Important additional process information isaccessible through the event-time protocol. An unambiguous cause isdiagnosed for each malfunction without any additional measures. Thestate of the system can be completely indicated at any point in time ina defined manner. A copy with the same capability to describe the systemto be controlled can be maintained in an external control computer thathas been connected into a network with the system. The elementaryfunctions and the defined instructions can serve as a direct functionalbase for the visualization of the systems and processes to becontrolled. Furthermore, the communication of the control programme withother intelligent programme modules, such as simulations for processoptimization, can easily be organized.

For small-scale controls with a limited instruction volume the modulesof the execution computer and of the instruction computer can based on aprincipally equal structure and function of the control be enclosed in acontrol hardware module with fixed instruction sets, which are activatedwith simple operating elements whereby an external computer can becoupled over a suitable interface so that the read-in of the controlsoftware and if necessary, also a comfortable communication anddiagnosis can be realized. Hence comparable control characteristics andcomfort at a reasonable price can be achieved.

The solution according to the invention avoids the imperfections of thestate-of-the-art by a programming approach that is unusual up to now,which makes use of the designed, hence impressed functionality of thesystem. New means completely substitute the signal interconnection usingBoolean algebra in condition equations to set outputs.

BRIEF DESCRIPTION OF THE DRAWINGS

Accompanying the specification are figures which assist in illustratingthe embodiments of the invention, in which:

FIG. 1 representation of a basic classification of the functional rangesin the structure of the control;

FIG. 2 hierarchically classified functional structure of a technicalsystem;

FIG. 3 information to be defined for the elementary functions on thebasis of a general example;

FIG. 4 simple technical system in a schematic representation;

FIG. 5 functional structure according to FIG. 4;

FIG. 6 definition of the elementary functions according to FIG. 4;

FIGS. 7A–7B representation of input and structure of a data frame torealize the control;

FIG. 8 structure of an execution computer;

FIG. 9 content of an instruction as instruction set for the instructionbuffer;

FIGS. 10A–10B representation of the function of an instruction starter;

FIG. 11 representation of the function of an EF-controler;

FIG. 12 representation of the function of a not-desired state evaluator;

FIG. 13 representation of the function of a state monitor;

FIG. 14 structure of an event-time protocol;

FIG. 15 an example of a formation basis for formal instruction names;

FIG. 16 an example of the definition of application instructions;

FIG. 17 an example of a blocking list managed in a control;

FIG. 18 an example of the determination of error instructions;

FIG. 19 an example of a control with more complex functions;

FIG. 20 structure and name definition according to FIG. 19;

FIG. 21 all data for an instruction library of an instruction computeraccording to FIGS. 19 and 20; and

FIG. 22 features of an embodiment as small-scale control.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 shows the basic classification of the functional ranges in thestructure 1 of the new control. The time-critical functions of thedesired signal/actual signal comparison, reactions to deviations of theactual compared to the desired state and the activation ofstate-changing actuators according to instructions are assigned to theexecution computer 2. Instructions received from the instructioncomputer 3 are processed by the execution computer 2 without check. As aresult, the execution of an instruction and the reaction to deviationsof the actual compared to the desired state are realized autonomously bythe execution computer 2. It is useful, or even compulsory to reachshortest reaction times of the control in more complex systems, toallocate to the execution computer 2 a hardware of its own with an ownprocessor.

In the instruction computer 3 all control operations are managed on alogical-functional level. Here from device-related elementaryinstructions near-to-process application instructions are defined, filedand activated as single instructions, parallel or serial instructionsequences. Here on the logical instruction level also the management ofthe blockings for mutually exclusive States as alternatives to formerlocks and condition formulations over Boolean signal interconnections iscarried out.

In this control concept all jobs that are not assigned to the executionor instruction computers are assigned to the application computer 4.This above all is the case of problems close to the process such as inthe workpiece programme range of a CNC-control.

This control can be configurated to be appropriate for problems ofdifferent size and complexity. As a result, equal principle apply of allconfigurations in the development system. In case of a very small numberof instructions, the share of the instruction computer 3 can be assignedto the execution computer 2 as a software zone. Execution andinstruction computers with own processors would be used for typical PLCproblems of today with the system operated via operating and signallingelements as well as the monitor. Further, it is possible in allembodiments to couple a comfortable communication system, e.g. atransportable computer, over a simply designed interface for programmingand commissioning or, in case of malfunction, diagnosis purposes.

FIG. 2 shows as an example the hierarchical functional structure 5 of atechnical system. It is based on the development methodology thatspecific of each technical system, such a system structure can be builtfrom the functional unit of the total system 6 over different functionalunits of the subsystems 7 up to the functional units elementaryfunctions 8. In terms of the new control the final branches of this treestructure are elementary functions characterized in that thesefunctional units can have different states and cannot be further dividedusefully, the functional states of which being of interest on thecontrol side are no longer representative of combined states of otherelementary functional groups to be controlled, as it is characteristicof higher-order non-elementary functional units 6 and 7 in thestructure. Here the position within the system to be controlled isdecisive so that an intelligent system integrated through few elementaryinstructions is also classified as elementary function.

FIG. 3 describes using a general example the information to be definedfor elementary functions on a “data sheet on elementary functions” 9. In10 the name of the elementary function is defined that identifies thiselementary function. Usefully a functional diagram 11 shows the featuresof the states of the elementary functions with the allocation ofactuators 12 and sensors 13. In the marked areas of the statedefinitions 14 the information necessary for the control is systematizedand defined. The state definitions 14 indicate the states that can betaken by the elementary function, and the definition of thestate-assigned signal vectors 15 for the actuators 12 and sensors 13.Also here, the instructions 16 are defined that initiate the transitionto a certain state. A control time 17 is predetermined for each of thesetransitions, which as a rule can be a multiple of the probablefunctional time and is only used to detect execution errors if theordered state was not reached. By the marking, one of the possiblestates is defined as the reference state 18

FIG. 4 represents a simple technical system for that in FIG. 5 thefunction structure and in FIG. 6 the definition of the elementaryinstructions is shown.

The hierarchic function structure described here and the definition ofthe appropriate elementary functions are, in their nature, primarydevelopment contents that can be documented already in a relativelyearly phase of the product development with only little additionaleffort.

FIG. 7 shows input and structure of the data frame when the new controlis used. The editing level 19 (FIG. 7A) includes both main componentshierarchic function structure 5 and the data sheet of the elementaryfunctions 9. Each functional unit elementary function 8 in the structuremust be described by an appropriate data sheet on elementary functions9. Completeness of the data and their formal correctness isautomatically checked on the editing level. If there is a positiveresult of the check and if the user affirms the end of the systemdescription, the input is closed and the data basis of the control forthe described system is generated.

As the first step, the elementary function memory 20 is generated. Thiselementary function memory 21 contains all elementary instructions ofthe system, all system states and the information defined for them, asdescribed in FIG. 3. The formal name of the elementary functions arederived from the structure so that elementary functions get unmistakablenames even if equal data sheets are used.

On the second step, the EF-controler 22 is generated. For this, in theEF-controler 23 (FIG. 7B) the reference state of the system is generatedfrom the defined reference states 18 of all elementary functions. Forthe actual state of the elementary functions also managed here, the datastructure for the storage of the actual state of the elementaryfunctions 25 is established by doubling the data structure of thedesired state of the elementary functions 24. Already here, whenoperating the control, a comparison could be made between the desiredand the actual states of the sensors of the elementary functions.

Greater effectivity is achieved by the third step referred to as 26 forthe generation of the state monitor 27 (also described in greater detailfurther down). In this step, from the desired signal vectors of theelementary functions 28 and simultaneously from the actual signalvectors of the elementary functions 29 the desired signal vector of thesystem 30 and the actual signal vector of the system 31 are formed. Eachsensor in the system signal vector maintains the address of its originassigned to it as the name of the elementary function 10 in theEF-controler 23.

FIG. 8 shows the structure of the execution computer 2 and itsinteraction with the instruction computer 3. The execution computer 2receives an application instruction to be executed 32 from theinstruction computer 3. This instruction is decoded in a moduleinstruction editor 33. In this process application instructions aretransformed into their appropriate elementary instructions and from theelementary function memory 21 the complete information content of theinstruction set is given to these elementary instructions. Thisinstruction set is entered into the instruction buffer 34 of theexecution computer.

After acknowledgment of the termination of the previous instruction, themodule instruction starter 35 starts processing of the instructionwaiting in the instruction buffer 34 and carries out all activitiesinvolved. This concerns actualisation in the module EF-controler 36, inthe module state monitor 37, and in the module not-desired stateevaluator 38. The module instruction starter 35 enters the new desiredstate of the sensors for the concerned elementary function into themodule EF-controler 36 and by setting the outputs according to theinstruction, starts the appropriate actuator instruction. Also startedis the control time 17 assigned to the execution of the instruction. Inthe not-desired state storage 39 the components of the instruction set“Not-desired instructions and messages” are entered.

After execution of the start activities by the instruction starter 35,the module state monitor 37 again takes on the comparison of the desiredsignal vector of the system 30 with the actual signal vector of thesystem 31. If this comparison detects a deviation between desired andactual signals, in the EF-controler 36 the actual state of the deviatingsignal in the actual signal vector of the elementary function 29 isupdated.

In the EF-controler 36 the deviation is evaluated (described in greaterdetail in FIG. 11), either (a) without any other reaction as the statedetected through the running time element “changing” and hence return ofthe activities to the module state monitor 37, (b) through the detectionof an executed instruction for equivalence of desired signal vector ofthe elementary function 28 and actual signal vector of the elementaryfunction 29 in the EF-controler 36 and hence call of the moduleinstruction starter 35, or—if neither evaluation applies—c) transmissionof the actual signal vector of the elementary function 29 to the modulenot-desired state evaluator 38. There this actual signal vector 29 iscompared with the signal vectors existing in the not-desired stateaction storage 39 and on equivalence the not-desired state instruction40 that is assigned to this case is started over the module instructionstarter 35. If there is no equivalence, return to the state monitor 37takes place. In all cases, an appropriate message 41 is created. Therange marked by 42 characterizes the time-critical activities.

FIG. 9 shows the content of an instruction 43, as it is entered asinstruction set into the instruction buffer 34 of the execution computer2. Line (1) contains the designation of the elementary function 10ordered for change, lines (2) and (3) contain the new desired state ofthe sensors, or actuators, respectively, and hence the desired signalvector of the elementary function 28, line (4) prescribes the controltime 17 in which the change of the state to the new condition has to bemade, line (5) contains the data for the updating of the entries whichapply after the start of the instruction in the not-desired state actionstorage 39 for reactions with not-desired state instructions 40, andline (6) contains the same for the updating after the instruction hasbeen processed successfully. The data on the lines (1) to (4) are inthis case directly equivalent to the definitions of the editing level 19concerning the elementary functions 8. The lines (5) and (6) cancontain, in addition, not-desired state instructions 40 from definitionsof process-related data on the application instructions 32.

FIG. 10 describes the function of the module instruction starter 35 andthe treatment of sequential instructions 44 as well as of parallelinstructions 45. The instruction buffer 34 (FIG. 10A) is always loadedby the instruction computer 3 with that instruction that follows therunning instruction. Defined instruction sequences (=sequentialinstructions 44) are not different, in this case, from separatelydefined, mutually independent instructions.

Parallel instructions 45 can be executed independently from each otherwith regard to function and time, and for a time-optimal process, dohave to be executed in parallel. For any instruction defined asparallel, therefore, an instruction buffer of its own 46 at theinterface between the instruction computer 3 and execution computer 2 isdefined, from which parallel, mutually independent instruction sequences45 can be processed. If after the execution of parallel instructions 45there are no other parallel instructions, the opened storage areas areclosed again so that only actually needed buffer memories 46 exist.

FIG. 10 shows an example of three opened parallel instructions 45, fromwhich the entered instructions 43 are started one after the other. Ifthe check 47 shows that there is no other instruction is waiting in thebuffer storage, then the appropriate parallel instruction buffer 46 isclosed and the module state monitor 37 is activated (FIG. 10B). For apositive check result 48 the instruction content 43 is appropriatelyupdated and started. After the end of these operations the moduleEF-controler 36 is activated 49. After reaching the ordered state 50 theupdatings defined therefore in the instruction set 43 are carried out bythe instruction starter 35 and then the next instruction determined andstarted.

FIG. 11 indicates the function of the module EF-controler 36. The start51 of an activity of the EF-controler is always activated by an actualchange. This is either a new desired signal vector of an elementaryfunction 28, which is entered by the module instruction starter 35 in anew instruction, or an updating 53 of the current actual state made bythe module state monitor.

The first check 54 compares the desired state to the actual state. Incase of equivalence it is checked whether the change status 55 was set.If this is true 56, a running instruction ended, otherwise 57 theordered state was regained after a faulty deviation. In either case anappropriate message is created and the module instruction starter 35 isstarted 58.

If the desired and actual states do not agree, branch 59 is processed.Again the change status is checked 60. If the change status for thiselementary function is before 61, the message “EF changing” 62 iscreated and the module state monitor 37 started. If there is no changestatus 63, the name and the current not-desired state actual signalvector 64 of the elementary function are entered into the evaluationmemory of the not-desired state evaluator 65 and the not-desired stateevaluator 38 is started.

FIG. 12 shows the function of the not-desired state evaluator 38. Thestart 66 of the not-desired state evaluator is activated by theEF-controler 36 after transmission of a not-desired state signal vector64. In the first step it is checked, whether there are entries under thename of the elementary function 10 in the not-desired state actionstorage 39. (As it has already been mentioned in FIG. 10, these entriesare updated by the instruction starter 35 as information components ofan instruction 43.) If there are no definitions for the elementaryfunction in the not-desired state action storage 39, 67, only an errormessage 67 a bearing the designation of the elementary function and thenot-desired state actual signal vector 64 with the faulty signal markedis transmitted to the higher-order control level—the instructioncomputer 3—for evaluation. Then the module state monitor 37 isre-started.

If in the not-desired state action storage 39, there is a not-desiredstate signal vector for the elementary function 68, the not-desiredstate actual signal vector 64 is, as the next step, compared forequivalence with the stored signal vector 69. If there is no equivalence70, again only a concrete error message 67 is created and the statemonitor 37 started.—If, however, there is an equivalence of the signalvector with entries in the action storage 71, the reaction instructions72 defined for this case are transmitted to the instruction starter 35to be immediately executed.

In parallel to the comparison, it is checked for the message to becreated 73, whether there is an event control 74. In case of an eventcontrol 74, the system moves in the normal functional frame, an eventwhich has been detected activates an appropriate action (e.g.,switch-off of a pump when the upper level has been reached). In thiscase, the appropriate message 75 clearly distinguishes the eventinstruction of the elementary function 76 from error states. If it isnot an event control 77, an appropriate error message 78 is created.

FIG. 13 shows the function and features of the module state monitor 37.If no other activities of the module run, the state monitor startscontinuously the comparison 80 of the desired signal vector 30 and theactual signal vector 31 of the system. This comparison always includesthe whole system signal vector and is continuously repated 81 when thereis equivalence of the compared states.

When a deviation is detected, first, it is checked whether the systemleft the waiting state und is to execute a new instruction. If this istrue 82, then the module instruction starter 35 is started. If it is nottrue, the deviating actual signal is entered into the actual signalvector of this elementary function in the EF-controler 83 and is-as ithas been explained for FIG. 11—evaluated there. A deviation can developeither by the presetting of a new desired state on the start of a newinstruction and entry into the desired signal vector 30 of the system bythe EF-controler 36, or in the other case, by a changed sensor signal inthe actual signal vector 31 of the system.

After entry of the deviating actual signal into the concerned elementaryfunction in the EF-controler, this signalled actual state is entered asthe new comparison state into the desired state comparison vector 84.This ensures that each change is evaluated only once. Therefore, thedesired comparison state of the system signal vector is defined as thecomparison with “the last evaluated state” of the system 84. This makesit possible and useful to enter the detected event into an event-timeprotocol 85 that is described in detail in FIG. 14.

After the mentioned actions of the state monitor 37, this state monitorstarts the module EF-controler 36. After evaluation, again-as within thefunctioning of the EF-controler, or instruction starter,respectively-the module state monitor is activated. It continues thedesired/actual state comparison in the system signal vector at thatsignal that follows the last not equivalent signal.

This ensures that all signals of the system signal vector are comparedone after the other and a vibrating signal cannot cause an infinite loopto run. Such a phenomenon could be imagined at another start of thecomparison at the signal just evaluated, if this signal would change itsstate with the pulse of the signal transfer time.

FIG. 14 is intended to illustrate the design of an event-time protocol85 in form of a list. The first column includes the name of theelementary function concerned by the event, column 2 the signalconcerned by the change, column 3 the changed signal state. These dataare copies of the information that the state monitor transmits to theEF-controler. If the actual system time is entered in column 4, aprocess protocol is produced that can be used in many cases. In thisexample, it is marked by the first and last entries that the elementaryfunction A11 with the signal E1 has again reached the first state. Thetimes assigned to the events could be used if demanded as a precisemeasure of such a period. This protocol makes it also possible to detectsignal vibrations and activate filter if needed, that can reduce, forexample, the scanning frequency for the vibrating signal. Dependent onthe process and importance of the information as well as the availablestorage, longer periods of time can be recorded and stored, which can beused for the diagnosis of long-time changes, or based on a fixed storagevolume only the last, in each case, period can be available for, e.g.,the evaluation of a breakdown.

FIG. 15 shows for the example of FIGS. 4 to 6, the basis of formation ofthe formal instruction names 86, which are derived from the functionstructure 5 and can be used for an unambiguous designation of theelementary functions in application instructions.

In FIG. 16, the definition of application instructions and thedetermination of instruction blockings 88 for the applicationinstructions is shown for the example of FIGS. 4 to 6.

FIG. 17 shows, as an example, the blocking list 89 of the system Lockingdevice managed in the control, and is intended to illustrate the dynamicaction of the blocking conditions determined in FIG. 16. As to FIG. 17,it has to be emphasized that it is an auxiliary representation and thereis no such table in the control. Only a storage area exists, in which atdifferent points of time (shown here by t1 to t8) different conditionsare entered by the instructions that have been effective up to thesepoints of time.

In column 1 all instructions of the system are listed. If an activatedapplication instruction contains a blocking condition for anotherinstruction, the causing instruction is entered as blocking condition inthe other instruction. In this example, with its activation at time t7,the instruction EF2-B2 (locking) blocks the instruction EF1-B1 (Opendoor mover). As it has been determined, the locking bar should only beput in, if the door is closed-therefore the entry of the blocking atEF2-B2 with ordering the instruction “(Open the door) EF1-B1” at timet3.

It is essential for the function of the control that after thetransmission of an application instruction 32 to the instructioncomputer 34 of the execution computer 2—which instruction the executioncomputer can execute autonomously as mentioned—the instruction computer3 updates its state as it will be after correct execution of thisinstruction. For this state the permissibility of the next instructionis checked even during the execution of the previous instruction andthis instruction released, if appropriate. In the example, during theexecution “Unlocking the bar” at t1 the instruction “Open the door” isin the instruction buffer, which will be started at the time point t3and will then simultaneously activate the check of the instruction“Close the door” for the time point t5 under the conditions of the timepoint t4.

This allows in a time-optimal way that with the termination of aninstruction the subsequent already checked instruction can start or,respectively, it is detected even during the execution of an instructionthat the prepared next instruction is not permissible for the systemstate coming. If there is an error in the instruction running in theexecution computer, the instruction computer is reset updated to theerror state.

FIG. 18 presents an example for the determination of error instructions.Assume as critical that on closing—for any reason—the door meets aninserted bar. FIG. 18 shows the formulation of an instruction error ascomponent of the instruction set “Close door mover”. From the state ofthe elementary function Bar lock E1=1, “Bar not free” is concluded andas the error reaction in the not-desired state evaluator, the process“Close door” is transformed into “Open the door”.

Analyses show that as a rule, only few error instructions are requiredat a certain time point. On principle it is possible to react to anyevent by each instruction.

FIG. 19 is another example for the potential of the control for thesolution of more complex problems and different application requirementsof a plant. For those different application requirements and theinstruction and blocking conditions resulting therefrom the term“status” 90 will be used.

It is assumed that two door devices be controlled either of which areequal to the example discussed so far. A device switch for each demandedoperational status is added: in state S1 the doors can be independentlyof each other, in S2 both doors are synchronously opened or closed,respectively, and in S3, operated as a lock chamber, always one of thedoors maintains closed.

FIG. 20 shows the structure and the name definitions as they aredesigned by the control using the data given on the editing level 19.

FIG. 21 indicates all data for the instruction library 92 of theinstruction computer necessary to solve the problem. The determinationsestablished for the closing device of one door are doubled for thedirect door control of a copy on the generation under the new systemname. All determinations on the control status of both doors arerealised over new stats instruction sheets 91 that are selected over thestatus switch. For the status S3 instruction sheet, no elementaryfunction was used but, by “Door x”, a higher-order hierarchical level inthe function structure. Thus, very effectively, whole function areas canbe blocked against state changes or selected by formulations such as“All except XXX”.

FIG. 22 shows features of a small-scale control 94 in a technical device95. The relatively small and fixed instruction volume of the small-scalecontrol 95 is arranged in a control hardware module that includes thefunctionalities of the execution computer 2 and the instruction computer3. Operation is by the usual switch and indication devices 96. Over aninterface 97, the computer 98 can be coupled so that all thefunctionality of the control for entering the control software andcomfortable communication and diagnosis are possible.

The present invention may be embodied in other specific forms withoutdeparting from its spirit or essential characteristics. The describedembodiments are to be considered in all respects only as illustrativeand not as restrictive. The scope of the invention is, therefore,indicated by the appended claims and their combination in whole or inpart rather than by the foregoing description. All changes that comewithin the meaning and range of equivalency of the claims are to beembraced within their scope.

NOMENCLATURE

-   1. Structure of the control-   2. Execution computer-   3. Instruction computer-   4. Application computer-   5. Function structure-   6. Functional unit Total system-   7. Functional unit Subsystem-   8. Functional unit Elementary function-   9. Data sheet for elementary functions-   10. Name of the elementary function-   11. Function diagram-   12. Actuators-   13. Sensors-   14. State definitions-   15. Signal vectors-   16. Elementary instructions-   17. Control time-   18. Reference state-   19. Editing level-   20. Generation of the elementary function memory-   21. Elementary function memory-   22. Generation of the EF-controler-   23. EF-controler-   24. Desired state of the elementary functions-   25. Actual state of the elementary functions-   26. Generation of the state monitor-   27. State monitor-   28. Desired signal vector of the elementary function-   29. Actual signal vector of the elementary function-   30. Desired signal vector of the system-   31. Actual signal vector of the system-   32. Application instruction-   33. Instruction editor-   34. Instruction buffer-   35. Module instruction starter-   36. Module EF-controler-   37. Module state monitor-   38. Module not-desired state evaluator-   39. Not-desired state action memory-   40. Not-desired state instruction-   41. State message-   42. Time-critical functional region-   43. Content of an instruction-   44. Sequential instructions-   45. Parallel instructions-   46. Instruction buffer for parallel instructions-   47. Check result instruction buffer “No”-   48. Check result instruction buffer “Yes”-   49. Activation of the EF-controler-   50. Activities instruction starter when “ordered state” is reached-   51. Activity start EF-controler-   52. Change of the desired state in the EF-controler due to    instruction-   53. Change of the actual state in the EF-controler due to sensor    message-   54. Comparison of desired and actual states in the EF-controler-   55. Change status in the EF-controler-   56. Alternative “Change status”-   57. Alternative “No change status”-   58. Activation of the instruction starter by the EF-controler-   59. Alternatives for non-equivalence of the desired and actual    states in the EF-controler-   60. Check for change status non-equivalence of the desired and    acutal states in the EF-controler-   61. Activity for change status and non-equivalence of the desired    and acutal states in the EF-controler-   62. Message from the EF-controler “Elementary function (name of    elementary function) changing”-   63. Alternative in the EF-controler for actual state not equal to    desired state and no change status-   64. Not-desired state actual signal vector-   65. Evaluation storage not-desired state evaluator-   66. Start of not-desired state evaluator-   67. Action when not-desired state elementary function has no entry    in the not-desired state action storage-   67 a. Error message on not-desired state elementary functions-   68. Action when not-desired state elementary function has an entry    in the not-desired state action storage-   69. Comparison of the not-desired state signal vector with the    not-desired state signal vector stored in the not-desired state    evaluator-   70. Action for non-equivalence not-desired state actual signal    vector with not-desired state signal vector in the not-desired state    evaluator-   71. Action for equivalence not-desired state actual signal vector    with not-desired state signal vector in the not-desired state    evaluator-   72. Reaction instructions in the not-desired state action memory-   73. Check whether not-desired state actual signal vector belongs to    an event control-   74. Event control-   75. Message event control-   76. Content of the message event control-   77. Error message if no event control-   78. Content of the error message-   79. Start of the module state monitor-   80. Comparison of the desired signal vector of the system with the    actual signal vector of the system-   81. Programme loop for the comparison of the desired signal vector    of the system with the actual signal vector of the system-   82. Transmission of the activity from state monitor to instruction    starter-   83. Entry of changes actual sensor signal from state monitor in the    EF-controler-   84. Comparison desired vector “last evaluated state” in the state    monitor-   85. Event-time protocol-   86. Formal instruction names-   87. Instruction blockings-   88. Blocking list in the instruction computer-   89. Blocking list of th example Locking device-   90. Status of a device-   91. Status instruction sheets-   92. Instruction library-   93. Application programme-   94. Small-scale control-   95. Technical device with small-scale control-   96. Switching and indicating devices-   97. Interface for computer connection-   98. Transportable computer

1. A method for controlling a mechanism by a controller, comprising: a)defining elementary functions and states of the mechanism according toinstructions and signal vectors of sensors and actuators; starting froma predefined reference state at a beginning of control activation,comparing an actual state of the mechanism transmitted by the sensorswith a stored desired state for all elementary functions; and detectingdeviation in the mechanism from the desired state according to theinstructions; b) applying an updated elementary instruction for changingthe state of the mechanism; updating the desired state for thecomparison and monitoring a time period until acknowledgment of anupdated state responsive to both the updated instruction and storedpermissible control time periods; and c) identifying states ofelementary functions with sensor signals and comparable information;changing state through the elementary instructions; assigning as adesired state signals from the sensors and the actuators; and definingapplication instructions on logical-functional language level byassignment of elementary instructions.
 2. The method of claim 1, furthercomprising: defining a program module comprising an EF-controller formanaging the states of the elementary functions as ordered actualdesired states and as current actual states from the actuators and thesensors; detecting change in the state of the mechanism through thesensors and assigning the state change to the elementary function ascurrent actual state; and comparing the current actual state with thedesired state.
 3. The method of claim 2, wherein: a) transferring, for adetected actual state of an elementary function that differs rom thedesired state, a signal vector that describes the actual state to aprogram module comprising a not-desired state evaluator; b) storing, inthe not-desired state evaluator, reaction instructions for predeterminedstates of elementary functions that are responsive to the transferredstate; and c) producing error messages that indicate a name of thepredetermined elementary function and a deviating signal.
 4. The methodof claim 3, further comprising: assigning and classifying, to anapplication instruction as an instruction set, the updated desiredstates of the sensors and actuators, control times for the updateddesired state and reaction to deviations instructions, in each case, asreaction instructions for predetermined state messages; deleting saidinstruction set and set prior to the start and after the execution,respectively; applying a predetermined program module of the controlcomprising an instruction starter for organizing the system andreleasing a subsequent instruction when instruction sequences after anexecution message of a previous instruction are effected; and organizingparallel instructions by temporary opening parallel execution sequences.5. The method of claim 4, further comprising: a) providing a programmodule comprising a state monitor for integrating sensor signals andpreselected controllable information into a continuous data word; andmaintaining assigned to the signal the address of a preselectedelementary function in the EF-controller; b) comparing each desiredsignal with the actual signal of the sensor message; c) updating, by themodule state monitor for a detected deviation of an actual signal, theactual signal in the EF-controller as the updated actual state of anelementary function; d) entering, after the updating and transmissionfor evaluation in the EF-controller, the updated signal as an updatedcomparison state in the state monitor so that a comparison in the statemonitor is made to the state evaluated last and each change in state isevaluated once; e) comparing the desired and actual signals in the statemonitor directionally; and comparing, after an interruption for theevaluation of a deviation, at the signal succeeding the interruptionplace, so that each state change is detected and evaluated.
 6. Themethod of claim 5, further comprising: a) entering and storing eachrecorded state change by the program module state monitor in anevent-time protocol; and b) detecting and filtering signal vibrations.7. The method of claim 6, further comprising: a) providing a subdomainexecution computer with the instruction starter, EF-controller,not-desired state evaluator and state monitor after transmission of anelementary instruction to the instruction starter, said computerincluding no check for permissibility; b) determining the execution of areceived instruction by program modules assigned to the executioncomputer; c) providing a subdomain instruction computer of the controlblocking; providing, in said instruction computer, lists for mutuallyexclusive states; managing said lists on a logical-functionalinstruction level; determining a proportion of functional blockings; d)providing, in an application instruction in addition to changableelementary functions, information for setting or deleting preselectedinstructions blockings in the blocking list during or after theexecution of the application instruction.
 8. The method of claim 7,wherein the execution computer and the instruction computer workdecoupled in time by one program step, the method further comprising: a)executing, in the executing part of the control comprising the executioncomputer, a received instruction; checking, in an instruction-managingpart of the control comprising the instruction computer, a subsequentinstruction available to the executing part comprising the executioncomputer in an intermediate storage as instruction buffer; b) updating,after provision of an instruction in the instruction buffer of theexecution computer, the state in the instruction computer to thecondition that will be after the execution of the instruction; andchecking the expected state of the then subsequent instruction forpermissibility in the instruction computer during the execution of thepreceding instruction; and c) resetting the checked instruction from thebuffer instruction if the expected state does not appear; and updatingthe system to error state.
 9. The method of claim 8, wherein applicationinstructions are prepared by steps comprising: a) assigning, to theapplication, functionally definable instructions close to the process bylanguage from the previously defined elementary instructions; saidelementary instructions being single, parallel or as a sequence; b)defining, in the blocking list in the instruction computer, the blockingconditions on instruction level for the updating when activating theapplication instruction; c) determining the reaction instructions forpreselected deviations and determining error messages, and d) filing theinformation in an instruction library; and applying the instructioncontents for application instructions.
 10. The method of claim 9,further comprising: determining, from an application program for theoperation of the mechanism, the sequence of defined applicationinstructions, determining whether instructions are executed sequentiallyor in parallel.
 11. A method for the development of control software fora mechanism by a controller, comprising providing a dialogue system andfurther comprising: a) requesting data of hierarchical functionstructure for the description of the controllable system; b) definingeach lower end of the hierarchical structure as an elementary functionand defining each elementary function with an instruction states in adialogue; c) assigning, according to the elementary instructions,signals of sensors, signals of actuators, control times for transitionbetween the states, and a reference state; d) integrating partialsystems being as elementary functions; e) requiring, in the dialoguesystem, only the primary data listed on the structure and elementaryfunctions for the description of the functionality of the mechanism. 12.The method of claim 11, further comprising establishing and generating,by the dialogue-guided development system after entry of primary data:a) a system elementary instruction storage; b) the EF-controller; and c)desired signal vector and the actual signal vector for the state monitorso that the mechanism is checkable for error-free signal definition inthe reference state and controllable with defined elementary functionsin a state of putting into operation.
 13. The method of claim 12,further comprising limiting changes of information on structure andelementary functions to an editing level.
 14. The method of claim 13,wherein the development system for the definition of applicationinstructions in preselected dialogues performs the steps of: a) offeringelementary instructions of the system for assignment; b) requestingblocking conditions for the blocking list; graphically providing thedata for the requested blockings through selection in the functionstructure; providing formulations of blocking determinations; c)determining reaction instructions for errors; and d) storing,classifying and managing determinations in the instruction library. 15.The method of claim 14, further comprising: a) locally limiting changesof elementary functions; b) providing for the entering, extending orchanging updated application instructions, blocking conditions in theblocking list or error reactions by reaction instructions; c) updatingdefinitions of application instructions and instruction conditions forthe system without any reaction on already defined programs; saiddefinitions being differentiated by the assignment of statusinformation.
 16. An apparatus for controlling a mechanism, comprising a)a plurality of domains, each domains being configured dependent onfeatures of predetermined events; b) an execution computer; a pluralityof program modules, each module being configured for a predeterminedtime-critical events; the computer comprising an instruction starter, anEF-controller, a not-desired state evaluator and a state monitor; c) theexecution computer including a processor for the time-critical events;d) sensors and actuators, the execution computer communicating withcontrollable devices through the sensors, activation of the actuators,desired/actual state comparison, reactions to deviations of the actualstate from the desired state and execution of a received instruction; e)a processor for management of application instructions in instructionlibraries, management of blocking lists, execution of applicationprograms by step-by-step transmission of instructions to the executioncomputer and external communication from the domain of a devicecomprising an instruction computer, and f) a domain applicationcomputer.
 17. The apparatus of claim 16, further comprising: a) acontrol hardware module having fixed instruction sets, the executioncomputer and the instruction computer being included in the controlhardware module; b) switching and indication devices for operation andcommunication; and c) an interface for coupling with an externalcomputer for entering control software.